[MacPorts] #37766: htop: binary should be installed SGID procmod, not SUID root
#37766: htop: binary should be installed SGID procmod, not SUID root -----------------------------+-------------------------------- Reporter: michael.klein@… | Owner: macports-tickets@… Type: defect | Status: new Priority: Normal | Milestone: Component: ports | Version: 2.1.2 Keywords: haspatch | Port: htop -----------------------------+-------------------------------- when installing as root, htop is installed SUID root, which allows any user to kill arbitrary processes. instead, htop should be installed SGID procmod. The attached patch adds a "procmod" variant (set as default) which does exactly this. -procmod should only be used when installing without root privileges. -- Ticket URL: <https://trac.macports.org/ticket/37766> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: new Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Changes (by larryv@…): * owner: macports-tickets@… => cal@… * cc: cal (removed) * priority: Normal => High Comment: Ergh. That’s no good. Elevating priority due to security implications. FYI, "Cc" takes full email addresses, not MacPorts handles. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:1> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Changes (by cal@…): * status: new => assigned Comment: I agree, installing SUID root is not a good thing in this case. I don't think I was able to kill random processes without running `htop` as `sudo htop`, though. I wonder whether my system is different there, but can't check at the moment. I also wonder whether there is a way to automatically determine when we're in a non-root installation and change the default variants accordingly. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:2> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: closed Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: fixed | Keywords: haspatch Port: htop | ------------------------------+---------------------- Changes (by cal@…): * status: assigned => closed * resolution: => fixed Comment: Fixed by patching Makefile.am (we need to run autoconf anyway) in r102085. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:4> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: reopened Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Changes (by cal@…): * status: closed => reopened * resolution: fixed => Comment: Using this change, htop can no longer display the command line of processes belonging to other users (it will only display the program basename). Is there a way to fix this? -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:5> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: reopened Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Comment (by rharwood@…): Speaking of non-root installations, installing htop now fails if the user is not a member of group procmod (i.e., if the install user is not root). This is a regression, as installing htop as the non-root user worked previously. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:6> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: reopened Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Comment (by cal@…): The regression should be fixed in r102094. Please run selfupdate and try again. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:8> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: reopened Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Comment (by rharwood@…): Replying to [comment:8 cal@…]:
The regression should be fixed in r102094. Please run selfupdate and try again.
Looks good, thanks! -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:9> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: closed Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: fixed | Keywords: haspatch Port: htop | ------------------------------+---------------------- Changes (by jmr@…): * status: reopened => closed * resolution: => fixed -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:10> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: reopened Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Changes (by cal@…): * status: closed => reopened * resolution: fixed => Comment: Please do not close this issue until we have discussed if (and how) full functionality of htop can be restored without SUID root. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:11> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: reopened Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Comment (by raimue@…): Replying to [comment:11 cal@…]:
Please do not close this issue until we have discussed if (and how) full functionality of htop can be restored without SUID root.
I doubt this can be restored. For example, `/bin/ps` is also configured as SUID root. If you lower it's permissions it only shows the base name in parentheses for processes of other users. As far as I checked, both are using `task_for_pid()` and `task_info()`, which are restricted to root or signed applications (via authorization policies controlled by taskgated(8) using rules from `/etc/authorization`). According to man page taskgated(8), legacy versions of OS X granted permissions for procmod and procview. I am not even sure whether the group procmod does anything useful at the moment. I did not notice a change in the behavior of htop whether the permissions are ''root:procmod 2755'' or ''root:admin 0755''. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:12> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: reopened Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: | Keywords: haspatch Port: htop | ------------------------------+---------------------- Comment (by michael.klein@…): Replying to [comment:12 raimue@…]:
Replying to [comment:11 cal@…]:
Please do not close this issue until we have discussed if (and how) full functionality of htop can be restored without SUID root.
I doubt this can be restored. For example, `/bin/ps` is also configured as SUID root.
So just leave it SUID root then and add additional checks in the code? I can think of four places that need an additional check: * killing processes (obviously) * raising/lowering priority * the call to lsof(8) * the call to strace (doesn't exist in OS X, check still required) I'm attaching a patch to close these holes, but I'm not sure if there are more :-/
According to man page taskgated(8), legacy versions of OS X granted permissions for procmod and procview. I am not even sure whether the group procmod does anything useful at the moment. I did not notice a change in the behavior of htop whether the permissions are ''root:procmod 2755'' or ''root:admin 0755''.
I can't speak for recent versions, but on 10.5, memory information is only shown for the htop process itself in the second case. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:14> MacPorts <http://www.macports.org/> Ports system for Mac OS
#37766: htop: binary should be installed SGID procmod, not SUID root ------------------------------+---------------------- Reporter: michael.klein@… | Owner: cal@… Type: defect | Status: closed Priority: High | Milestone: Component: ports | Version: 2.1.2 Resolution: fixed | Keywords: haspatch Port: htop | ------------------------------+---------------------- Changes (by cal@…): * status: reopened => closed * resolution: => fixed Comment: I think that should be it. Applied in r102162. -- Ticket URL: <https://trac.macports.org/ticket/37766#comment:15> MacPorts <http://www.macports.org/> Ports system for Mac OS
participants (1)
-
MacPorts